From cdbd713ed0a07b6b3de402fc98adb2d591ece70a Mon Sep 17 00:00:00 2001 From: XDEV Renovate Bot Date: Tue, 3 Feb 2026 04:43:13 +0000 Subject: [PATCH 01/12] Update net.sourceforge.pmd to v7.21.0 --- pom.xml | 4 ++-- template-placeholder/pom.xml | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/pom.xml b/pom.xml index d062774..803cb4d 100644 --- a/pom.xml +++ b/pom.xml @@ -83,12 +83,12 @@ net.sourceforge.pmd pmd-core - 7.20.0 + 7.21.0 net.sourceforge.pmd pmd-java - 7.20.0 + 7.21.0 diff --git a/template-placeholder/pom.xml b/template-placeholder/pom.xml index 597d823..cdb13a0 100644 --- a/template-placeholder/pom.xml +++ b/template-placeholder/pom.xml @@ -253,12 +253,12 @@ net.sourceforge.pmd pmd-core - 7.20.0 + 7.21.0 net.sourceforge.pmd pmd-java - 7.20.0 + 7.21.0 From 78e6f922261869bc7a6f939d185e46e35ed3f0aa Mon Sep 17 00:00:00 2001 From: AB Date: Wed, 4 Feb 2026 12:01:54 +0100 Subject: [PATCH 02/12] Updat to PMD 7.21.0 --- .config/pmd/java/ruleset.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.config/pmd/java/ruleset.xml b/.config/pmd/java/ruleset.xml index e96576b..e2325a9 100644 --- a/.config/pmd/java/ruleset.xml +++ b/.config/pmd/java/ruleset.xml @@ -146,7 +146,6 @@ - @@ -164,6 +163,7 @@ + From 076ea0fc43b6354042220d357fa595eeebf32f0b Mon Sep 17 00:00:00 2001 From: XDEV Renovate Bot Date: Fri, 6 Feb 2026 04:44:15 +0000 Subject: [PATCH 03/12] Update dependency com.puppycrawl.tools:checkstyle to v13.2.0 --- pom.xml | 2 +- template-placeholder/pom.xml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/pom.xml b/pom.xml index d062774..45d9bd4 100644 --- a/pom.xml +++ b/pom.xml @@ -45,7 +45,7 @@ com.puppycrawl.tools checkstyle - 13.1.0 + 13.2.0 diff --git a/template-placeholder/pom.xml b/template-placeholder/pom.xml index 597d823..0ea5a26 100644 --- a/template-placeholder/pom.xml +++ b/template-placeholder/pom.xml @@ -215,7 +215,7 @@ com.puppycrawl.tools checkstyle - 13.1.0 + 13.2.0 
From 76cf22386537f750c979b63658ab3459f6b8586c Mon Sep 17 00:00:00 2001 From: AB Date: Fri, 20 Feb 2026 08:43:59 +0100 Subject: [PATCH 04/12] Disallow classes ending with Helper or Util Fixes https://github.com/xdev-software/java-setup-template/issues/7 --- .config/checkstyle/checkstyle.xml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/.config/checkstyle/checkstyle.xml b/.config/checkstyle/checkstyle.xml index 463a629..262c9f9 100644 --- a/.config/checkstyle/checkstyle.xml +++ b/.config/checkstyle/checkstyle.xml @@ -79,6 +79,11 @@ + + + + + From 838f350c5da393d455f0b1de29397762af9111ac Mon Sep 17 00:00:00 2001 From: AB Date: Mon, 23 Feb 2026 09:54:21 +0100 Subject: [PATCH 05/12] Avoid using Optional#get Fixes https://github.com/xdev-software/java-setup-template/issues/8 --- .config/pmd/java/ruleset.xml | 30 ++++++++++++++++++++++++++++++ 1 file changed, 30 insertions(+) diff --git a/.config/pmd/java/ruleset.xml b/.config/pmd/java/ruleset.xml index e2325a9..9dc7a0f 100644 --- a/.config/pmd/java/ruleset.xml +++ b/.config/pmd/java/ruleset.xml 
@@ -208,6 +208,36 @@ + + +`Optional#get` can be interpreted as a getter by developers, however this is not the case as it throws an exception when empty. + +It should be replaced by +* doing a mapping directly using `.map` or `.ifPresent` +* using the preferred `.orElseThrow`, `.orElse` or `.or` methods + +Java Developer Brian Goetz also writes regarding this topic: + +> Java 8 was a huge improvement to the platform, but one of the few mistakes we made was the naming of `Optional.get()`, because the name just invites people to call it without calling `isPresent()`, undermining the whole point of using `Optional` in the first place. +> +> During the Java 9 time frame, we proposed to deprecate `Optional.get()`, but the public response to that was ... let's say cold. As a smaller step, we introduced `orElseThrow()` in 10 (see [JDK-8140281](https://bugs.openjdk.java.net/browse/JDK-8140281)) as a more transparently named synonym for the current pernicious behavior of `get()`. IDEs warn on unconditional use of `get()`, but not on `orElseThrow()`, which is a step forward in teaching people to code better. The question is, in a sense, a "glass half empty" view of the current situation; `get()` is still problematic. + + 3 + + + + + + + + + Date: Thu, 26 Feb 2026 04:42:27 +0000 Subject: [PATCH 06/12] Update lycheeverse/lychee-action digest to 8646ba3 --- .github/workflows/broken-links.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/broken-links.yml b/.github/workflows/broken-links.yml index e6c3385..d768259 100644 --- a/.github/workflows/broken-links.yml +++ b/.github/workflows/broken-links.yml @@ -18,7 +18,7 @@ jobs: - name: Link Checker id: lychee - uses: lycheeverse/lychee-action@a8c4c7cb88f0c7386610c35eb25108e448569cb0 # v2 + uses: lycheeverse/lychee-action@8646ba30535128ac92d33dfc9133794bfdd9b411 # v2 with: fail: false # Don't fail on broken links, create an issue instead 
From 8b6624e632e759013ba7aa24ba6ec36f4951f500 Mon Sep 17 00:00:00 2001 From: XDEV Renovate Bot Date: Thu, 26 Feb 2026 04:45:51 +0000 Subject: [PATCH 07/12] Update lycheeverse/lychee-action digest to 8646ba3 --- .github/workflows/broken-links.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/broken-links.yml b/.github/workflows/broken-links.yml index 2675c8b..5b50d06 100644 --- a/.github/workflows/broken-links.yml +++ b/.github/workflows/broken-links.yml @@ -19,7 +19,7 @@ jobs: - name: Link Checker id: lychee - uses: lycheeverse/lychee-action@a8c4c7cb88f0c7386610c35eb25108e448569cb0 # v2 + uses: lycheeverse/lychee-action@8646ba30535128ac92d33dfc9133794bfdd9b411 # v2 with: fail: false # Don't fail on broken links, create an issue instead From a53730bb4a5a0765d9972d93dd5884253f67b619 Mon Sep 17 00:00:00 2001 From: XDEV Renovate Bot Date: Fri, 27 Feb 2026 04:43:58 +0000 Subject: [PATCH 08/12] Update actions/upload-artifact action to v7 --- .github/workflows/check-build.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/check-build.yml b/.github/workflows/check-build.yml index b1a6d66..b5d7995 100644 --- a/.github/workflows/check-build.yml +++ b/.github/workflows/check-build.yml @@ -69,7 +69,7 @@ jobs: fi - name: Upload demo files - uses: actions/upload-artifact@v6 + uses: actions/upload-artifact@v7 with: name: demo-files-java-${{ matrix.java }} path: ${{ env.DEMO_MAVEN_MODULE }}/target/${{ env.DEMO_MAVEN_MODULE }}.jar @@ -152,7 +152,7 @@ jobs: - name: Upload report if: always() - uses: actions/upload-artifact@v6 + uses: actions/upload-artifact@v7 with: name: pmd-report if-no-files-found: ignore From 0dcf9cfe57c8d8c8ace1253845b67afb8bd47bda Mon Sep 17 00:00:00 2001 
From: XDEV Renovate Bot Date: Sun, 1 Mar 2026 04:48:23 +0000 Subject: [PATCH 09/12] Update dependency com.puppycrawl.tools:checkstyle to v13.3.0 --- pom.xml | 2 +- template-placeholder/pom.xml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/pom.xml b/pom.xml index a219280..e214afa 100644 --- a/pom.xml +++ b/pom.xml @@ -45,7 +45,7 @@ com.puppycrawl.tools checkstyle - 13.2.0 + 13.3.0 diff --git a/template-placeholder/pom.xml b/template-placeholder/pom.xml index 9e08842..2547c6f 100644 --- a/template-placeholder/pom.xml +++ b/template-placeholder/pom.xml @@ -215,7 +215,7 @@ com.puppycrawl.tools checkstyle - 13.2.0 + 13.3.0 From 77e37f981ecf107f1ebb690beb75262b3314b38e Mon Sep 17 00:00:00 2001 From: XDEV Renovate Bot Date: Mon, 2 Mar 2026 04:46:12 +0000 Subject: [PATCH 10/12] Update dependency net.sourceforge.pmd:pmd-core to v7.22.0 [SECURITY] --- pom.xml | 2 +- template-placeholder/pom.xml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/pom.xml b/pom.xml index a219280..4cac133 100644 --- a/pom.xml +++ b/pom.xml @@ -83,7 +83,7 @@ net.sourceforge.pmd pmd-core - 7.21.0 + 7.22.0 net.sourceforge.pmd diff --git a/template-placeholder/pom.xml b/template-placeholder/pom.xml index 9e08842..4a20d6d 100644 --- a/template-placeholder/pom.xml +++ b/template-placeholder/pom.xml @@ -253,7 +253,7 @@ net.sourceforge.pmd pmd-core - 7.21.0 + 7.22.0 net.sourceforge.pmd From 961291c3795ca9f249ce028fe98fe1524da6b0fb Mon Sep 17 00:00:00 2001 From: XDEV Renovate Bot Date: Mon, 2 Mar 2026 04:46:14 +0000 Subject: [PATCH 11/12] Update dependency net.sourceforge.pmd:pmd-java to v7.22.0 --- pom.xml | 2 +- template-placeholder/pom.xml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/pom.xml b/pom.xml index a219280..97f7b18 100644 --- a/pom.xml +++ b/pom.xml @@ -88,7 +88,7 @@ net.sourceforge.pmd pmd-java - 7.21.0 + 7.22.0 diff --git a/template-placeholder/pom.xml b/template-placeholder/pom.xml index 9e08842..3831400 100644 
--- a/template-placeholder/pom.xml +++ b/template-placeholder/pom.xml @@ -258,7 +258,7 @@ net.sourceforge.pmd pmd-java - 7.21.0 + 7.22.0 From 6f9b5b39e904c2167782591b14a645b1fd49b730 Mon Sep 17 00:00:00 2001 From: AB Date: Mon, 2 Mar 2026 12:00:46 +0100 Subject: [PATCH 12/12] Create report-gha-workflow-security-problems.yml Fixes https://github.com/xdev-software/base-template/issues/13 --- .../report-gha-workflow-security-problems.yml | 61 +++++++++++++++++++ 1 file changed, 61 insertions(+) create mode 100644 .github/workflows/report-gha-workflow-security-problems.yml diff --git a/.github/workflows/report-gha-workflow-security-problems.yml b/.github/workflows/report-gha-workflow-security-problems.yml new file mode 100644 index 0000000..b17aa53 --- /dev/null +++ b/.github/workflows/report-gha-workflow-security-problems.yml 
@@ -0,0 +1,61 @@
+name: Report workflow security problems
+
+on:
+ workflow_dispatch:
+ push:
+ branches: [ develop ]
+ paths:
+ - '.github/workflows/**'
+
+permissions:
+ issues: write
+
+jobs:
+ prt:
+ runs-on: ubuntu-latest
+ timeout-minutes: 15
+ # Only run this in our repos (Prevent notification spam by forks)
+ if: ${{ github.repository_owner == 'xdev-software' }}
+ steps:
+ - uses: actions/checkout@v6
+
+ - name: Check
+ id: check
+ run: |
+ grep -l 'pull_request_target:' --exclude report-gha-workflow-security-problems.yml *.yml > reported.txt && exit 1 || exit 0
+ working-directory: .github/workflows
+
+ - name: Find already existing issue
+ id: find-issue
+ if: ${{ !cancelled() }}
+ run: |
+ echo "number=$(gh issue list -l 'bug' -l 'automated' -L 1 -S 'in:title "Incorrectly configure GHA workflow (prt)"' -s 'open' --json 'number' --jq '.[].number')" >> $GITHUB_OUTPUT
+ env:
+ GH_TOKEN: ${{ github.token }}
+
+ - name: Close issue if everything is fine
+ if: ${{ success() && steps.find-issue.outputs.number != '' }}
+ run: gh issue close -r 'not planned' ${{ steps.find-issue.outputs.number }}
+ env:
+ GH_TOKEN: ${{ github.token }}
+
+ - name: Create report
+ if: ${{ failure() && steps.check.conclusion == 'failure' }}
+ run: |
+ echo 'Detected usage of `pull_request_target`. This event is dangerous and MUST NOT BE USED AT ALL COST!' > reported.md
+ echo '' >> reported.md
+ echo '/cc @xdev-software/gha-workflow-security' >> reported.md
+ echo '' >> reported.md
+ echo '```' >> reported.md
+ cat .github/workflows/reported.txt >> reported.md
+ echo '```' >> reported.md
+ cat reported.md
+
+ - name: Create Issue From File
+ if: ${{ failure() && steps.check.conclusion == 'failure' }}
+ uses: peter-evans/create-issue-from-file@fca9117c27cdc29c6c4db3b86c48e4115a786710 # v6
+ with:
+ issue-number: ${{ steps.find-issue.outputs.number }}
+ title: 'Incorrectly configure GHA workflow (prt)'
+ content-filepath: ./reported.md
+ labels: bug, automated
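Review bot: The scan in the `Check` step is narrower than the issue text it produces: `grep -l 'pull_request_target:' ... *.yml` only matches the block-mapping spelling in `.yml` files, so a trigger written as `on: [pull_request_target]` or placed in a `.yaml` workflow passes silently, and because `|| exit 0` also swallows grep's error status (2), a scan that failed to run is reported as clean. A less brittle form is `grep -rl 'pull_request_target' --include='*.yml' --include='*.yaml' --exclude report-gha-workflow-security-problems.yml . > reported.txt && exit 1` followed by `[ "$?" -eq 1 ] || exit 1`, which passes only when grep positively reports no matches; dropping the trailing colon means a comment naming the event is flagged too, which seems an acceptable trade for a security gate. Separately, `actions/checkout@v6` is the only action in this file pinned to a mutable tag while `peter-evans/create-issue-from-file` is pinned to a commit SHA with a version comment, so pinning checkout the same way keeps the supply-chain posture consistent. The title `Incorrectly configure GHA workflow (prt)` doubles as the search key in the `find-issue` step, so any wording fix (`configured`) has to be applied to both occurrences together.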